
Commit f3dc89b

author
David Cooke
authored
patch unauthenticated users being able to read sensitive config fields by viewing them individually instead of listing them (#37)
1 parent 41edf92 commit f3dc89b


2 files changed

+9
-3
lines changed

2 files changed

+9
-3
lines changed

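--- a/src/config/config.py
+++ b/src/config/config.py
@@ -64,6 +64,10 @@ def get_all_non_sensitive():
     return config
 
 
+def is_sensitive(key):
+    return key in backend.get('sensitive_fields')
+
+
 def set_bulk(values: dict):
     for key, value in values.items():
         set(key, value)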
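--- a/src/config/views.py
+++ b/src/config/views.py
@@ -1,4 +1,4 @@
-from rest_framework.status import HTTP_400_BAD_REQUEST
+from rest_framework.status import HTTP_400_BAD_REQUEST, HTTP_403_FORBIDDEN
 from rest_framework.views import APIView
 
 from backend.response import FormattedResponse
@@ -12,10 +12,12 @@ class ConfigView(APIView):
 
     def get(self, request, name=None):
         if name is None:
-            if request.user.is_staff:
+            if request.user.is_superuser:
                 return FormattedResponse(config.get_all())
             return FormattedResponse(config.get_all_non_sensitive())
-        return FormattedResponse(config.get(name))
+        if not config.is_sensitive(name) or request.is_superuser:
+            return FormattedResponse(config.get(name))
+        return FormattedResponse(status=HTTP_403_FORBIDDEN)
 
     def post(self, request, name):
         if "value" not in request.data: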